How does MegaLLM pricing work?

Pay only for what you use with transparent per-token pricing. We add a small markup (typically 10-20%) on top of provider costs to cover infrastructure and features. No monthly fees, no minimums. Volume discounts available for enterprise usage with over 10M tokens per month.

How quickly can I migrate from OpenAI?

Migration takes less than 5 minutes. Our API is OpenAI-compatible - just change your base URL and API key. We provide migration scripts for Python, Node.js, and popular frameworks. Your existing prompts and parameters work without modification.

Which models and providers do you support?

Access 70+ models including GPT-5/4/3.5, Claude 4/3/3.5, Gemini Pro/Ultra, Llama 4, Mistral, Command R+, and more. We add new models within 24-48 hours of release. Custom model endpoints and fine-tuned models are also supported.

How do fallbacks and retries work?

Configure primary and backup models with automatic failover on errors, rate limits, or timeouts. Set fallback chains (e.g., GPT-5 → Claude → Gemini) with configurable retry logic. Transparent to your application - same response format regardless of which model responds.

Privacy Policy - MegaLLM | Data Protection & Security

1. INTRODUCTION

1.1 About This Privacy Policy

Welcome to MegaLLM. This Privacy Policy explains how Ghostlytics Payments Private Limited ("MegaLLM," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our unified API gateway service (the "Service").

1.2 Our Commitment to Privacy

At MegaLLM, we are committed to protecting your privacy and ensuring the security of your personal information. We believe in transparency about our data practices and giving you control over your information.

Key Privacy Principles:

Data Minimization: We collect only what we need to provide the Service
Transparency: We clearly explain what data we collect and why
Control: You have control over your data with easy-to-use privacy settings
Security: We implement industry-standard security measures to protect your data
No Logging by Default: We do NOT log your AI prompts or completions unless you opt-in
No Data Sales: We do not sell, rent, or trade your personal information to third parties

1.3 Scope of This Policy

This Privacy Policy applies to:

Our website at megallm.io
Our API service at ai.megallm.io
Our dashboard and account management interfaces
Any other services that link to this Privacy Policy

This Privacy Policy does NOT apply to:

Third-party websites or services (even if linked from our Service)
Model Providers' data practices (see their respective privacy policies)
Information you choose to share publicly

1.4 Agreement to This Policy

By using the Service, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

1.5 Terms of Service

This Privacy Policy should be read in conjunction with our Terms of Service (available at megallm.io/legal). Capitalized terms not defined in this Privacy Policy have the meanings given in the Terms of Service.

2. INFORMATION WE COLLECT

We collect several types of information to provide and improve the Service.

2.1 Information You Provide Directly

A. Account Registration Information

When you create an account, we collect:

Email address (required)
Full name (individual accounts)
Company name (business accounts)
Password (stored in hashed form, never in plain text)
Phone number (optional, for account security and support)

B. Profile Information

You may optionally provide:

Profile picture
Job title
Company website
Location (country/region)
Use case description

C. Payment Information

For paid services, we collect:

Credit/debit card information (processed and stored by Stripe, not by us)
Billing address
VAT number (for EU businesses)
Tax identification information (as required by law)

D. Communications

When you contact us, we collect:

Content of your messages (emails, support tickets, chat messages)
Attachments you send
Feedback and survey responses

E. API Inputs (Prompts)

BY DEFAULT, WE DO NOT COLLECT OR STORE YOUR API INPUTS (PROMPTS).

If you opt-in to logging for debugging or analytics purposes:

We collect the text of your prompts
You can disable logging at any time
Logged prompts are encrypted and retained per your settings (7-90 days)

2.2 Information Collected Automatically

A. Usage Data

When you use the Service, we automatically collect:

API Usage Metadata:

Timestamp of requests
Model selected
Token counts (input and output)
Request duration and latency
HTTP status codes
Error messages (technical only, no prompt content)

Service Interactions:

Features used
Dashboard pages visited
Documentation accessed
Time spent on pages
Click patterns

B. Device and Technical Information

Device Information:

Device type (desktop, mobile, tablet)
Operating system and version
Browser type and version
Screen resolution

Network Information:

IP address
Approximate geographic location (derived from IP address)
Internet service provider
Connection type

Log Data:

Access times and dates
Referrer URLs
User agent strings

C. Cookies and Similar Technologies

We use cookies and similar tracking technologies (see Section 9 for details):

Session cookies (essential for service functionality)
Persistent cookies (for preferences and analytics)
Local storage (for dashboard settings)

2.3 Information from Third Parties

A. Authentication Providers

If you sign up using third-party authentication (e.g., Google Sign-In, GitHub OAuth):

We receive basic profile information (name, email, profile picture)
You control what information is shared through the authentication provider's settings

B. Payment Processor

Our payment processor, Stripe, shares:

Transaction success/failure status
Last 4 digits of card numbers
Card brand (Visa, Mastercard, etc.)
Billing address verification results

C. Model Providers

Model Providers may share:

Usage statistics for your account
Error or abuse reports
Compliance-related information

2.4 Information We Do NOT Collect

Unless you explicitly opt-in, we do NOT collect:

Your AI prompts (inputs)
AI-generated completions (outputs)
Keystroke data or screen recordings
Precise geolocation data
Biometric information
Sensitive personal information (health data, financial account numbers, government IDs, etc.)

2.5 Inferences and Derived Data

We may derive or infer information from the data we collect:

Usage patterns and trends
Service performance metrics
Anomaly detection (for security and abuse prevention)
Account risk scores (for fraud prevention)

This derived information is typically aggregated and anonymized.

3. HOW WE USE YOUR INFORMATION

3.1 Primary Purposes

We use your information to:

A. Provide and Maintain the Service

Process your API requests
Route requests to appropriate Model Providers
Authenticate and authorize access
Maintain your account and preferences
Provide customer support

B. Billing and Payments

Calculate usage-based charges
Process payments and refunds
Generate invoices and receipts
Detect and prevent payment fraud
Comply with tax and financial regulations

C. Improve the Service

Analyze usage patterns to improve features
Identify and fix bugs and technical issues
Develop new features and capabilities
Optimize performance and reliability
Conduct A/B testing (with aggregated, anonymized data)

D. Communicate with You

Send service-related notifications (e.g., API errors, account issues)
Respond to your inquiries and support requests
Send security alerts and policy updates
Provide product updates and feature announcements
Send marketing communications (with your consent; you may opt-out)

E. Security and Fraud Prevention

Detect and prevent unauthorized access
Identify and stop abusive behavior
Investigate security incidents
Enforce our Terms of Service and Acceptable Use Policy
Protect against fraud and illegal activity

F. Comply with Legal Obligations

Respond to legal process (subpoenas, court orders)
Comply with applicable laws and regulations
Protect our legal rights and interests
Cooperate with law enforcement when required

3.2 Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

A. Contractual Necessity

To provide the Service you requested
To fulfill our obligations under the Terms of Service

B. Legitimate Interests

Service improvement and optimization
Fraud prevention and security
Network and information security
Direct marketing (with easy opt-out options)
Business analytics and insights

C. Consent

Marketing communications (express consent)
Optional data collection features (e.g., logging API prompts)
Non-essential cookies and tracking

D. Legal Obligation

Compliance with applicable laws
Tax and financial reporting
Response to legal process

You have the right to object to processing based on legitimate interests. See Section 7 and Section 11 for more information on your rights.

3.3 Automated Decision-Making and Profiling

We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

We may use automated systems for:

Fraud detection and risk scoring (manual review for account actions)
Abuse detection (flagging for manual review)
Service optimization (A/B testing with aggregated data)

If you are flagged by automated systems, we will conduct manual review before taking action that affects your account.

4. HOW WE SHARE YOUR INFORMATION

4.1 We Do Not Sell Your Information

WE DO NOT SELL, RENT, OR TRADE YOUR PERSONAL INFORMATION TO THIRD PARTIES FOR THEIR MARKETING PURPOSES.

4.2 Sharing with Service Providers

We share information with trusted third-party service providers who perform services on our behalf:

A. Model Providers

What We Share: Your API inputs (prompts) are sent to Model Providers to generate responses
Why: To provide the core Service functionality
Control: You choose which models to use; Model Providers have their own data policies
Examples: OpenAI, Anthropic, Google, Meta, and other AI model providers

B. Infrastructure and Hosting Providers

What We Share: Technical data necessary for hosting and delivering the Service
Why: To maintain reliable infrastructure
Examples: Cloud hosting providers (AWS, Google Cloud, etc.), CDN providers

C. Payment Processors

What We Share: Payment information, billing details
Why: To process payments and manage subscriptions
Provider: Stripe (see https://stripe.com/privacy)

D. Analytics Providers

What We Share: Anonymized usage data, technical information
Why: To analyze Service performance and user experience
Examples: Google Analytics (anonymized), internal analytics tools

E. Communication Tools

What We Share: Email address, message content (when you contact us)
Why: To provide customer support and send service communications
Examples: Email service providers, support ticketing systems

F. Security and Fraud Prevention Services

What We Share: IP addresses, device information, usage patterns
Why: To detect and prevent fraud, abuse, and security threats
Examples: Anti-fraud tools, DDoS protection services

All service providers are bound by contractual obligations to protect your information and use it only for the purposes we specify.

4.3 Sharing for Legal Reasons

We may disclose your information:

A. Legal Compliance

To comply with applicable laws, regulations, or legal process
To respond to lawful requests from government authorities
To comply with valid subpoenas or court orders

B. Safety and Protection

To protect the safety, rights, or property of MegaLLM, our users, or the public
To detect, prevent, or investigate fraud, security, or technical issues
To prevent harm or illegal activity

C. Enforcement

To enforce our Terms of Service, Privacy Policy, or other agreements
To investigate violations of our policies
To protect against legal liability

4.4 Business Transfers

If MegaLLM is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction:

Your information may be transferred to the acquiring or successor entity
We will notify you via email and/or prominent notice on our Service
The acquiring entity will be bound by this Privacy Policy (or provide notice of changes)

4.5 Aggregated and Anonymized Data

We may share aggregated or anonymized data that cannot identify you:

Industry benchmarks and statistics
Usage trends and insights
Research and publications
Marketing materials

This data does not constitute personal information and is not subject to this Privacy Policy.

4.6 With Your Consent

We may share your information for other purposes with your explicit consent. You may withdraw consent at any time by contacting us at privacy@megallm.io.

5. DATA RETENTION

5.1 General Retention Principles

We retain your personal information only as long as necessary to:

Fulfill the purposes described in this Privacy Policy
Comply with legal obligations
Resolve disputes
Enforce our agreements

5.2 Account Data

While Your Account is Active:

We retain account information, profile data, and settings
You can update or delete information at any time in your account settings

After Account Deletion:

We delete or anonymize your personal information within 90 days
Some information may be retained longer for legal compliance (see Section 5.6)

5.3 API Usage Metadata

Billing Metadata:

Retained for 12 months for billing and financial reporting
Then archived for tax compliance (typically 7 years)

Performance and Analytics Metadata:

Retained for 6 months in identifiable form
Then anonymized and retained indefinitely for analytics

5.4 API Inputs and Outputs (If Logging Enabled)

BY DEFAULT: We DO NOT log your API inputs or outputs.

If You Enable Logging:

Default Retention: 30 days
Configurable Retention: You can set retention to 7, 14, 30, 60, or 90 days
Automatic Deletion: Data is automatically deleted after the retention period
Manual Deletion: You can delete logged data at any time

5.5 Support Communications

Support emails and tickets: Retained for 2 years for quality assurance and training
Chat transcripts: Retained for 1 year
After retention period: Anonymized or deleted

5.6 Legal and Compliance Retention

Some information must be retained longer to comply with legal obligations:

Financial Records: 7 years (tax compliance)
Audit Logs: 1 year (security and compliance)
Legal Hold: Indefinitely if subject to litigation or investigation

5.7 Backups

Your data may exist in backup systems for up to 90 days after deletion
Backups are securely stored and not accessible for normal operations
Backup data is deleted according to our backup retention schedule

5.8 Anonymization

When possible, we anonymize data instead of deleting it:

Anonymized data cannot be linked back to you
Anonymized data may be retained indefinitely for analytics and research
You can request deletion instead of anonymization by contacting privacy@megallm.io

6. DATA SECURITY

6.1 Our Security Commitment

We take data security seriously and implement industry-standard technical and organizational measures to protect your information from unauthorized access, use, alteration, or disclosure.

6.2 Technical Security Measures

A. Encryption

In Transit: All data transmissions use TLS 1.3 encryption
At Rest: Data stored in databases is encrypted using AES-256 encryption
API Keys: Stored using secure hashing algorithms (bcrypt)
Passwords: Hashed using bcrypt with salt

B. Network Security

Firewalls and network segmentation
DDoS protection and rate limiting
Intrusion detection and prevention systems
Regular vulnerability scanning

C. Access Controls

Role-based access control (RBAC) for internal systems
Multi-factor authentication (MFA) for employee access
Principle of least privilege
Access logging and monitoring

D. Infrastructure Security

Secure cloud hosting with tier-1 providers
Regular security patching and updates
Infrastructure as code for consistent configurations
Isolated environments for development, testing, and production

6.3 Organizational Security Measures

A. Security Policies and Procedures

Comprehensive information security policy
Incident response plan
Data breach notification procedures
Vendor security assessment process

B. Employee Training

Regular security awareness training
Data protection and privacy training
Secure coding practices training
Phishing simulation exercises

C. Background Checks

Background checks for employees with access to sensitive data
Confidentiality agreements for all employees and contractors

D. Physical Security (for owned infrastructure)

Secure data centers with restricted access
24/7 surveillance and monitoring
Environmental controls (fire suppression, cooling)

6.4 Third-Party Security

Service providers are selected based on their security practices:

Security questionnaires and assessments
Contractual data protection obligations
Regular security reviews
SOC 2 or ISO 27001 certification (where applicable)

6.5 Monitoring and Incident Response

A. 24/7 Monitoring

Security information and event management (SIEM)
Anomaly detection and alerting
Log analysis and correlation

B. Incident Response

Dedicated incident response team
Documented response procedures
Notification to affected users within 72 hours
Regulatory notifications as required by law

6.6 Security Certifications and Audits

We are committed to obtaining and maintaining industry-recognized security certifications:

SOC 2 Type II: [In Progress / Completed - Update as appropriate]
ISO 27001: [Roadmap / In Progress - Update as appropriate]
Penetration Testing: Conducted annually by independent security firms

Audit reports are available to enterprise customers under NDA.

6.7 Your Security Responsibilities

Security is a shared responsibility. You should:

Use strong, unique passwords for your account
Enable two-factor authentication (when available)
Keep your API Keys confidential and secure
Rotate API Keys regularly
Monitor your account for unusual activity
Report security concerns immediately to security@megallm.io
Keep your recovery email and phone number current

6.8 Limitations

Despite our security measures:

No system is 100% secure
We cannot guarantee absolute security
Internet transmissions are never completely secure
You use the Service at your own risk

If you believe your account has been compromised, immediately:

Change your password
Revoke and regenerate API Keys
Contact us at security@megallm.io

7. YOUR PRIVACY RIGHTS

7.1 Access and Transparency

You have the right to:

Access your personal information
Know what information we collect and how we use it
Review your account data in your dashboard

How to Access:

Most information is available in your account dashboard
For additional information, contact privacy@megallm.io

7.2 Correction and Updates

You have the right to:

Correct inaccurate personal information
Update your profile and account settings

How to Correct:

Update information directly in your account settings
Contact support@megallm.io for assistance

7.3 Deletion (Right to Erasure)

You have the right to request deletion of your personal information.

How to Delete:

Delete your account in account settings (self-service)
Contact privacy@megallm.io to request deletion

When We Will Delete:

Within 30 days of your request
Some information may be retained for legal compliance (see Section 5.6)

Exceptions:

We may retain information when necessary to:

Complete transactions or provide requested services
Detect and prevent fraud or security incidents
Comply with legal obligations
Exercise or defend legal claims

7.4 Data Portability

You have the right to receive your personal information in a structured, machine-readable format.

How to Export:

Use the "Download My Data" feature in your account settings
We provide data in JSON format
Includes account information, settings, and usage history
Available for download within 24 hours

7.5 Opt-Out and Communication Preferences

A. Marketing Communications

You may opt-out of marketing emails by:

Clicking "Unsubscribe" in any marketing email
Updating preferences in your account settings
Emailing privacy@megallm.io

B. Service Communications

You cannot opt-out of essential service communications:

Account security alerts
Billing notifications
Service updates affecting your use
Legal notices

C. Cookies

You can control cookies through:

Your browser settings
Our cookie consent manager
See Section 9 for more details

7.6 Object to Processing

You may object to processing of your personal information based on legitimate interests.

How to Object:

Contact privacy@megallm.io with your objection
Explain the reasons for your objection
We will evaluate your objection and respond within 30 days

7.7 Restrict Processing

You may request restriction of processing in certain circumstances:

You contest the accuracy of data (during verification)
Processing is unlawful, but you don't want deletion
We no longer need the data, but you need it for legal claims
You've objected to processing (pending verification of our legitimate grounds)

How to Request:

Contact privacy@megallm.io with your request

7.8 Withdraw Consent

For processing based on consent:

You may withdraw consent at any time
Withdrawal does not affect lawfulness of processing before withdrawal
We will stop processing your data for that purpose

How to Withdraw:

Adjust settings in your account dashboard (for optional features)
Contact privacy@megallm.io

7.9 Automated Decision-Making

You have the right to:

Know if automated decision-making affects you
Contest automated decisions
Request human review

Current Status: We do not use automated decision-making that produces legal or similarly significant effects.

7.10 Lodge a Complaint

If you believe we have violated your privacy rights:

First: Contact us at privacy@megallm.io to resolve the issue
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority

EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en

7.11 How to Exercise Your Rights

Contact Information:

Email: privacy@megallm.io
Subject Line: "Privacy Rights Request - [Type of Request]"

Include in Your Request:

Your full name and email address associated with your account
Specific right you wish to exercise
Any additional information to help us process your request

Response Timeline:

We will acknowledge your request within 5 business days
We will fulfill requests within 30 days (may extend to 60 days for complex requests with notice)

Verification:

To protect your privacy, we will verify your identity before processing requests:

Confirm access to your account email
Answer security questions
Provide account details

No Fee:

We do not charge a fee for the first two requests per year. For excessive or repetitive requests, we may charge a reasonable administrative fee.

8. INTERNATIONAL DATA TRANSFERS

8.1 Global Operations

MegaLLM operates globally. Your information may be transferred to, stored, and processed in countries other than your country of residence, including:

United States
European Union member states
Other countries where we, our affiliates, or service providers operate

8.2 Data Protection Standards

When we transfer your personal information internationally:

We ensure appropriate safeguards are in place
We comply with applicable data protection laws
We use approved transfer mechanisms

8.3 Transfer Mechanisms

We rely on the following mechanisms for international data transfers:

A. Standard Contractual Clauses (SCCs)

EU Commission-approved Standard Contractual Clauses
UK International Data Transfer Agreement (IDTA)
Contractual commitments with service providers

B. Adequacy Decisions

Transfers to countries with adequacy decisions by the EU Commission or UK
As of 2025, this includes countries like Japan, Israel, Canada, etc.

C. Derogations

Explicit consent for specific transfers
Necessary for contract performance
Important reasons of public interest

8.4 EU-U.S. Data Transfers

For transfers from the EU/EEA to the United States:

We use Standard Contractual Clauses
We conduct transfer impact assessments
We implement supplementary measures (encryption, access controls)

8.5 Regional Data Routing (Enterprise Feature)

Enterprise customers may request regional data routing:

EU Routing: Data stays within the European Union
US Routing: Data stays within the United States
Additional fees may apply
Contact sales@megallm.io for details

8.6 Data Localization

If you are located in a jurisdiction with data localization requirements:

We will comply with applicable data localization laws
Contact us at privacy@megallm.io if you have specific localization needs

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 What Are Cookies

Cookies are small text files placed on your device when you visit our website or use our Service. We use cookies and similar technologies (web beacons, pixels, local storage) to provide, protect, and improve the Service.

9.2 Types of Cookies We Use

A. Essential Cookies (Required)

These cookies are necessary for the Service to function:

Session Management: Keep you logged in
Security: Prevent fraud and protect your account
API Authentication: Authenticate API requests
Load Balancing: Distribute traffic efficiently

Essential cookies cannot be disabled without affecting Service functionality.

B. Performance Cookies (Optional)

These cookies help us understand how the Service is used:

Analytics: Usage patterns, popular features, error rates
Performance Monitoring: Page load times, API latency
A/B Testing: Compare different versions of features

C. Functional Cookies (Optional)

These cookies enable enhanced functionality:

Preferences: Remember your settings and preferences
Personalization: Customize your experience
Language: Remember your language preference

D. Advertising Cookies (If Applicable)

Currently, we do NOT use advertising cookies. If this changes:

We will update this Privacy Policy
We will obtain your consent before using advertising cookies

9.3 Cookie Lifespan

Session Cookies:

Deleted when you close your browser
Used for authentication and session management

Persistent Cookies:

Remain on your device for a set period or until deleted
Essential Cookies: Up to 1 year
Performance/Functional Cookies: Up to 2 years

9.4 Third-Party Cookies

We use cookies from trusted third-party services:

A. Google Analytics (if enabled)

Provides website analytics and usage insights
Anonymized by default (IP anonymization enabled)
Privacy Policy: https://policies.google.com/privacy
Opt-out: https://tools.google.com/dlpage/gaoptout

B. Stripe (payment processing)

Enables secure payment processing
Required for payment functionality
Privacy Policy: https://stripe.com/privacy

9.5 Managing Cookies

You have control over cookies:

A. Cookie Consent Manager

Accept or reject non-essential cookies when you first visit
Change preferences anytime by clicking the cookie icon in the footer
Preferences are saved for 12 months

B. Browser Settings

Most browsers allow you to:

View cookies stored on your device
Delete cookies
Block all cookies
Block third-party cookies only

How to Manage Cookies in Popular Browsers:

Chrome: Settings > Privacy and Security > Cookies
Firefox: Settings > Privacy & Security > Cookies and Site Data
Safari: Preferences > Privacy > Cookies and Website Data
Edge: Settings > Cookies and Site Permissions

Warning: Blocking essential cookies will prevent you from using the Service.

C. Opt-Out Links

Google Analytics: https://tools.google.com/dlpage/gaoptout
Network Advertising Initiative: https://optout.networkadvertising.org/

9.6 Do Not Track (DNT)

Some browsers have a "Do Not Track" feature. Currently:

There is no industry standard for DNT
We do not respond to DNT signals
You can control cookies through your browser settings and our cookie consent manager

9.7 Local Storage

In addition to cookies, we use browser local storage to:

Save dashboard preferences
Cache API responses for performance
Store application state

You can clear local storage through your browser settings.

9.8 Mobile App Tracking (If Applicable)

Currently, we do not have a mobile app. If we release a mobile app:

We will update this Privacy Policy
Mobile app privacy practices will be described
You will have controls over mobile tracking

9.9 Changes to Cookie Practices

If we make material changes to how we use cookies:

We will update this Privacy Policy
We will notify you via email or prominent notice
We will obtain consent for new cookie uses (where required)

10. CHILDREN'S PRIVACY

10.1 Age Restriction

The Service is NOT directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children under these ages.

10.2 Parental Consent

If you are under 18 years old (or the age of majority in your jurisdiction), you may use the Service only with the consent and supervision of a parent or legal guardian.

10.3 If We Learn of Child Data

If we become aware that we have collected personal information from a child under 13 (or 16 in the EEA) without parental consent:

We will delete the information as quickly as possible
We will terminate the associated account
We will notify the account email address

10.4 Parental Rights

If you are a parent or guardian and believe your child has provided us with personal information:

Contact us immediately at privacy@megallm.io
Subject line: "Child Privacy Concern"
We will promptly investigate and delete the information

10.5 School Use

If a school or educational institution wishes to use the Service for students under 18:

The institution must obtain appropriate parental consent
The institution acts as the data controller
A separate agreement may be required
Contact us at education@megallm.io for details

12. CALIFORNIA RESIDENTS (CCPA/CPRA)

12.1 Scope

This section supplements our general Privacy Policy and applies only to California residents.

12.2 Categories of Personal Information We Collect

In the past 12 months, we have collected the following categories of personal information:

Category	Examples	Collected
A. Identifiers	Name, email, IP address, account ID	YES
B. Personal Information (Cal. Civ. Code § 1798.80(e))	Name, address, telephone number	YES
C. Protected Classifications	Age (18+), gender	NO
D. Commercial Information	Purchase history, payment records	YES
E. Biometric Information	Fingerprints, faceprints	NO
F. Internet/Network Activity	Browsing history, API usage	YES
G. Geolocation Data	Approximate location (IP-based)	YES (approximate only)
H. Sensory Data	Audio, visual recordings	NO
I. Professional/Employment	Job title, company name	YES (if provided)
J. Education Information	N/A	NO
K. Inferences	Usage preferences, interests	YES (derived from usage)
L. Sensitive Personal Information	See Section 12.3	LIMITED

12.3 Sensitive Personal Information

We collect limited sensitive personal information:

Account Credentials: Password (hashed, not stored in plain text)
Payment Information: Credit card numbers (processed by Stripe, not stored by us)

We do NOT collect:

Social Security numbers, driver's license numbers, or state ID numbers
Precise geolocation data
Racial or ethnic origin, religious beliefs, union membership
Mail, email, or text message contents (except when you send them to us)
Genetic data, biometric data for identification
Health data, sex life, or sexual orientation data

12.4 Sources of Personal Information

We collect personal information from:

Directly from you (account registration, API usage)
Automatically from your device (cookies, usage data)
Third parties (authentication providers, payment processors)

12.5 Business or Commercial Purposes

We use personal information for:

Providing the Service
Payment processing
Security and fraud prevention
Service improvement
Communications
Legal compliance

See Section 3 for detailed purposes.

12.6 Categories of Third Parties We Share With

We share personal information with:

Service providers (Model Providers, hosting, payment processing)
Professional advisors (legal, accounting)
Law enforcement (when required)

See Section 4 for details.

12.7 We Do NOT Sell or Share Personal Information

WE DO NOT SELL YOUR PERSONAL INFORMATION.

We do NOT:

Sell personal information for monetary consideration
Share personal information for cross-context behavioral advertising
Share personal information with third parties for their direct marketing purposes

We have NOT sold or shared personal information in the preceding 12 months.

12.9 Your California Privacy Rights

California residents have the following rights:

A. Right to Know (CCPA § 1798.100)

You have the right to request:

Categories of personal information collected
Categories of sources
Business or commercial purposes
Categories of third parties we share with
Specific pieces of personal information we've collected

B. Right to Delete (CCPA § 1798.105)

You have the right to request deletion of your personal information, subject to certain exceptions.

C. Right to Correct (CPRA § 1798.106)

You have the right to correct inaccurate personal information.

D. Right to Non-Discrimination (CCPA § 1798.125)

We will not discriminate against you for exercising your privacy rights.

12.10 How to Exercise Your Rights

Submit a Request:

Email: privacy@megallm.io
Subject: "California Privacy Rights Request"

Response Timeline:

We will acknowledge your request within 10 days
We will respond within 45 days (may extend by 45 days with notice)

No Fee: We do not charge a fee for the first two requests per year.

12.8 We Do NOT Sell or Share Personal Information of Minors

We do NOT sell or share personal information of consumers under 16 years of age.

12.11 Authorized Agents

You may designate an authorized agent to make requests on your behalf:

Agent must provide written authorization signed by you
We may require you to verify your identity directly with us
We may deny requests from agents who cannot provide proof of authorization

12.12 Shine the Light Law

Under California Civil Code § 1798.83 ("Shine the Light"), California residents may request information about our disclosure of personal information to third parties for direct marketing purposes.

We do NOT share personal information with third parties for their direct marketing purposes.

12.13 California Online Privacy Protection Act (CalOPPA)

We comply with CalOPPA:

We have a Privacy Policy
Our Privacy Policy link includes the word "Privacy"
Our Privacy Policy is accessible from our homepage

12.14 Do Not Track (DNT)

We do not respond to DNT signals. California law requires this disclosure.

13. DATA BREACH NOTIFICATION

13.1 Breach Response Commitment

We take data security seriously. In the event of a data breach affecting your personal information, we are committed to transparent and timely notification.

13.2 What Constitutes a Data Breach

A data breach includes:

Unauthorized access to or acquisition of personal information
Accidental or unlawful destruction, loss, or alteration of personal information
Unauthorized disclosure of personal information

13.3 Notification Timeline

To Affected Users:

We will notify you within 72 hours of discovering a breach that affects your data
Notification will be sent to the email address associated with your account

To Regulatory Authorities:

We will notify relevant data protection authorities as required by law (e.g., within 72 hours under GDPR)
We will comply with state breach notification laws (e.g., California requires notification without unreasonable delay)

13.4 Notification Content

Our notification will include:

Nature of the Breach: What happened and how it occurred
Data Affected: What types of personal information were involved
Potential Consequences: What risks the breach poses to you
Actions Taken: Steps we've taken to address the breach and prevent future breaches
Actions You Should Take: Recommended steps to protect yourself (e.g., password reset, monitor accounts)
Contact Information: How to contact us with questions or concerns

13.5 Exceptions

We may delay notification if:

Law enforcement requests a delay for investigation purposes
Immediate notification would interfere with an ongoing investigation
Notification would cause additional harm

We will notify you as soon as it is safe to do so.

13.6 Your Actions After a Breach

If you receive a breach notification from us:

Read the notification carefully
Follow recommended protective actions
Change your password immediately
Revoke and regenerate API Keys
Monitor your accounts for suspicious activity
Consider enabling additional security measures (e.g., MFA)
Contact us if you have questions or concerns

13.7 False Breach Reports

If we become aware of a false breach report:

We will investigate immediately
We will notify you if you were incorrectly notified
We will clarify that your data was not compromised

13.8 Reporting a Suspected Breach

If you suspect a data breach or security incident:

Report immediately to: security@megallm.io
Subject line: "Security Incident Report"
Include: Details of the suspected breach, affected accounts, evidence

13.9 Breach Log

We maintain an internal log of data breaches for compliance and accountability. Enterprise customers may request breach history (under NDA) for vendor risk assessments.

14. THIRD-PARTY SERVICES

14.1 Model Providers

Our Service integrates with third-party AI Model Providers. When you use a model:

Your API inputs are sent to the Model Provider for processing
The Model Provider processes your inputs according to their own privacy policy
We do not control Model Providers' data practices

Key Model Providers and Their Privacy Policies:

OpenAI: https://openai.com/policies/privacy-policy
Anthropic: https://www.anthropic.com/privacy
Google Cloud AI: https://cloud.google.com/terms/cloud-privacy-notice
Meta (Llama): https://ai.meta.com/llama/privacy-policy

Your Responsibility:

Review Model Provider privacy policies
Understand how Model Providers handle your data
Comply with Model Provider terms and policies

14.2 Payment Processor (Stripe)

We use Stripe, Inc. for payment processing:

Privacy Policy: https://stripe.com/privacy
What Stripe Receives: Payment information, billing details
What We Receive from Stripe: Transaction status, last 4 digits of card, billing verification results
Card Security: Stripe is PCI-DSS compliant; we do not store full card numbers

14.3 Analytics Services

We may use analytics services to understand Service usage:

Google Analytics (if enabled)

Privacy Policy: https://policies.google.com/privacy
Opt-out: https://tools.google.com/dlpage/gaoptout
IP anonymization enabled

14.4 Cloud Infrastructure

We use cloud hosting providers for infrastructure:

Providers: AWS, Google Cloud, or similar
Data is encrypted in transit and at rest
Providers are bound by contractual data protection obligations
Providers have SOC 2 and/or ISO 27001 certifications

14.5 Customer Support Tools

We may use third-party tools for customer support:

Support ticketing systems
Live chat software
Your communications may be stored in these systems
Providers are bound by confidentiality obligations

14.6 Communication Services

We use email service providers to communicate with you:

Transactional Email: Account notifications, receipts, security alerts
Marketing Email (with consent): Product updates, feature announcements
You may opt-out of marketing emails but not transactional emails

14.7 Third-Party Links

Our Service may contain links to third-party websites, services, or resources:

We are not responsible for third-party privacy practices
We do not endorse or control third-party services
Review third-party privacy policies before providing information
Your use of third-party services is at your own risk

14.8 Integrations

We may offer integrations with third-party services (e.g., GitHub, Slack):

You authorize data sharing when you enable an integration
Review the third-party service's privacy policy
You can disconnect integrations at any time
We are not responsible for third-party data practices

14.9 Social Media

We may have social media profiles on platforms like Twitter, LinkedIn, etc.:

Information you share on social media is governed by the platform's privacy policy
We may collect publicly available information from your social media profile if you interact with us
Social media interactions are subject to the platform's terms

14.10 Changes to Third Parties

We may add, change, or remove third-party service providers:

We will update this Privacy Policy when we make significant changes
We will notify you of material changes that affect your privacy

14.11 Third-Party Responsibility

We are not responsible for:

Third-party privacy practices
Third-party data security
Third-party compliance with laws
Losses resulting from third-party actions

15. CHANGES TO THIS PRIVACY POLICY

15.1 Right to Modify

We reserve the right to update or modify this Privacy Policy at any time to reflect:

Changes in our data practices
New features or services
Changes in applicable laws
Feedback from users and regulators

15.2 Notification of Changes

For material changes that affect your privacy:

We will provide at least 30 days' advance notice
Notification will be sent via email to your account email address
We will post a prominent notice on our Service
The updated Privacy Policy will include a new "Last Updated" date

15.3 What Constitutes Material Changes

Material changes include:

New categories of personal information collected
New purposes for using personal information
New categories of third parties we share with
Significant changes to data retention periods
Changes to your privacy rights
Changes to security practices that reduce protection

15.4 Non-Material Changes

Non-material changes (e.g., clarifications, formatting, typos) may be made without advance notice. We will still update the "Last Updated" date.

15.5 Your Acceptance

By continuing to use the Service after the effective date of the updated Privacy Policy, you accept the changes.

If you do not agree with the changes:

You may terminate your account before the effective date
You will not be subject to the new policy
See Section 14.2 of our Terms of Service for termination instructions

15.6 Review Regularly

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

15.7 Previous Versions

We maintain an archive of previous Privacy Policy versions. You may request access to previous versions by contacting privacy@megallm.io.

16. CONTACT US

16.1 Privacy Questions and Concerns

If you have questions, concerns, or complaints about this Privacy Policy or our data practices:

Email: privacy@megallm.io

Subject Line: "Privacy Inquiry"

We will respond within 5 business days.

16.2 Data Protection Officer (If Applicable)

If we have appointed a Data Protection Officer:

Email: dpo@megallm.io

Role: Data protection compliance, GDPR inquiries

16.3 Security Concerns

For security incidents or vulnerabilities:

Email: security@megallm.io

Subject Line: "Security Concern"

For urgent security issues, please mark as "URGENT" in the subject line.

16.4 Privacy Rights Requests

To exercise your privacy rights (access, deletion, correction, etc.):

Email: privacy@megallm.io

Subject Line: "Privacy Rights Request - [Type of Request]"

See Section 7 and Section 11/12 for details on exercising rights.

16.5 General Support

For general account or service questions:

Email: support@megallm.io

16.6 Mailing Address

Ghostlytics Payments, LLC

1111B South Governors Avenue

Dover, DE 19904

United States

16.7 European Union Representative (If Applicable)

If required under GDPR Article 27:

EU Representative: [To be determined if required]
Address: [To be added if required]
Email: [To be added if required]

16.8 Supervisory Authority Complaints

If you believe we have violated your privacy rights, you may file a complaint with:

Your Local Data Protection Authority (EU/EEA/UK)

List of EU authorities: https://edpb.europa.eu/about-edpb/board/members_en

California Attorney General (California residents)

Office of the Attorney General
Privacy Enforcement and Protection Unit
Website: https://oag.ca.gov/privacy

16.9 Response Time

We strive to respond to all inquiries promptly:

General Inquiries: 5 business days
Privacy Rights Requests: 30 days (may extend to 60 days for complex requests)
Security Incidents: 24 hours
Complaints: 10 business days

16.10 Business Hours

Our privacy team is available:

Monday - Friday: 9:00 AM - 5:00 PM IST (Indian Standard Time)
Emergency security issues: 24/7 via security@megallm.io

17. ACKNOWLEDGMENT AND CONSENT

By using the MegaLLM Service, you acknowledge that:

You have read and understood this Privacy Policy
You understand how we collect, use, and share your information
You consent to our data practices as described in this Privacy Policy
You have reviewed our Terms of Service and agree to both documents
You have the authority to provide consent (you are 18+ or have parental consent)
You understand your privacy rights and how to exercise them
You understand the risks and limitations described in this Privacy Policy

If you do not agree with this Privacy Policy, please do not use the Service.

PRIVACY POLICY

TABLE OF CONTENTS

1. INTRODUCTION

1.1 About This Privacy Policy

1.2 Our Commitment to Privacy

1.3 Scope of This Policy

1.4 Agreement to This Policy

1.5 Terms of Service

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

A. Account Registration Information

B. Profile Information

C. Payment Information

D. Communications

E. API Inputs (Prompts)

2.2 Information Collected Automatically

A. Usage Data

B. Device and Technical Information

C. Cookies and Similar Technologies

2.3 Information from Third Parties

A. Authentication Providers

B. Payment Processor

C. Model Providers

2.4 Information We Do NOT Collect

2.5 Inferences and Derived Data

3. HOW WE USE YOUR INFORMATION

3.1 Primary Purposes

A. Provide and Maintain the Service

B. Billing and Payments

C. Improve the Service

D. Communicate with You

E. Security and Fraud Prevention

F. Comply with Legal Obligations

3.2 Legal Basis for Processing (GDPR)

A. Contractual Necessity

B. Legitimate Interests

C. Consent

D. Legal Obligation

3.3 Automated Decision-Making and Profiling

4. HOW WE SHARE YOUR INFORMATION

4.1 We Do Not Sell Your Information

4.2 Sharing with Service Providers

A. Model Providers

B. Infrastructure and Hosting Providers

C. Payment Processors

D. Analytics Providers

E. Communication Tools

F. Security and Fraud Prevention Services

4.3 Sharing for Legal Reasons

A. Legal Compliance

B. Safety and Protection

C. Enforcement

4.4 Business Transfers

4.5 Aggregated and Anonymized Data

4.6 With Your Consent

5. DATA RETENTION

5.1 General Retention Principles

5.2 Account Data

While Your Account is Active:

After Account Deletion:

5.3 API Usage Metadata

Billing Metadata:

Performance and Analytics Metadata:

5.4 API Inputs and Outputs (If Logging Enabled)

If You Enable Logging:

5.5 Support Communications

5.6 Legal and Compliance Retention

5.7 Backups

5.8 Anonymization

6. DATA SECURITY

6.1 Our Security Commitment

6.2 Technical Security Measures

A. Encryption

B. Network Security

C. Access Controls

D. Infrastructure Security

6.3 Organizational Security Measures

A. Security Policies and Procedures

B. Employee Training

C. Background Checks